hxxps://sites[.]google[.]com/view/ex1aucnh3r/home

Analysis

max time kernel
112s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sites.google.com/view/ex1aucnh3r/home

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 sites.google.com
11 sites.google.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

flow	ioc
7	sites.google.com
11	sites.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

2632 msedge.exe
2632 msedge.exe
2676 msedge.exe
2676 msedge.exe
220 identity_helper.exe
220 identity_helper.exe
2240 msedge.exe
2240 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2676 msedge.exe
2676 msedge.exe
2676 msedge.exe
2676 msedge.exe
2676 msedge.exe
2676 msedge.exe
2676 msedge.exe
2676 msedge.exe
2676 msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	msedge.exe

pid	process
2632	msedge.exe
2632	msedge.exe
2676	msedge.exe
2676	msedge.exe
220	identity_helper.exe
220	identity_helper.exe
2240	msedge.exe
2240	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

7zG.exe7zG.exe7zG.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	5720	7zG.exe
Token: 35	5720	7zG.exe
Token: SeSecurityPrivilege	5720	7zG.exe
Token: SeSecurityPrivilege	5720	7zG.exe
Token: SeRestorePrivilege	5812	7zG.exe
Token: 35	5812	7zG.exe
Token: SeSecurityPrivilege	5812	7zG.exe
Token: SeSecurityPrivilege	5812	7zG.exe
Token: SeRestorePrivilege	6104	7zG.exe
Token: 35	6104	7zG.exe
Token: SeSecurityPrivilege	6104	7zG.exe
Token: SeSecurityPrivilege	6104	7zG.exe
Token: SeRestorePrivilege	5332	7zG.exe
Token: 35	5332	7zG.exe
Token: SeSecurityPrivilege	5332	7zG.exe
Token: SeSecurityPrivilege	5332	7zG.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

msedge.exe7zG.exe7zG.exe7zG.exe7zG.exe

pid	process
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
5720	7zG.exe
5812	7zG.exe
6104	7zG.exe
5332	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2676 wrote to memory of 952	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 952	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1904	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 2632	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 2632	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe
PID 2676 wrote to memory of 1292	2676	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://sites.google.com/view/ex1aucnh3r/home
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd5f9f46f8,0x7ffd5f9f4708,0x7ffd5f9f4718
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1942129573637845236,16185225087823999456,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:5176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x3e4
1⤵
PID:4164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2484

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ExLaµñch€r\" -ad -an -ai#7zMap14982:82:7zEvent8661
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5720

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap11095:82:7zEvent7599
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5812

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ExLaµñch€r\ExLaµñch€r\ExL@unch3\" -ad -an -ai#7zMap3164:124:7zEvent13839
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6104

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ExLaµñch€r\ExLaµñch€r\ExL@unch3\Pass$word —-— 1231.txt
1⤵
PID:1488

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ExLaµñch€r\ExLaµñch€r\ExL@unch3\ExL4uncher\" -ad -an -ai#7zMap28555:146:7zEvent22323
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
b7425cbf9548c3a3f3a811619a131fd8

SHA1
3811a9069c6e11a362f71a75cc433b7c21533686

SHA256
a26f72f5d786856d2aba0982dead8223a010fa529f04973da0e893e5fdd97eae

SHA512
5f40a8911dd6c585a9916fc730e8b728d850483535b677acfacc4633f3d96bc47888312721f0f2a19382beab8d743a284fe3f00e3d16bd01c714e33a4dd26bb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c558aed95078b5c336512937269b0fd3

SHA1
a6f42f700c14c2d7678fb56c59612794c855a8e8

SHA256
70fd302414bd50d2aea1fb8264e3d0b7bee1423f307b754815b5bf998ee8fa4b

SHA512
7214eccdb6409a1b0f07329f44a1179b59a5d36c1fd5dfa14b85554a6bc6f47732f2c992bd79430dc40a1925f8bb1d0467dc864a5fb8aa79e6fbc4e262545ce2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
736f12663694e1358abc0cb78b9a31be

SHA1
57e117925d39590ffd9eb2926b5f1af53022f35e

SHA256
4cbba8e4ded126c1f6ceae0b2272e0963299128e70b9a53693860e9b38a05f2a

SHA512
26289a6270257921f9ae682a9eb4df83fd0113bde592c4944840de9d512f40c7d8e4e5d00ee3390c6fe2ef3755ea731799ce62a1406848af5cd5b6612f5bcfda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cee3d54fa0c9b4bff6deb6ae26472ee4

SHA1
2b61dceb3efa9a1bbb2e1f9bbad0c7c98d89657b

SHA256
bbdfd6f4908ef9284dc269fd4db54b1040a0903572360927f0861b075201b6f0

SHA512
8ed118b9dfb1c99e3d9199bd1c8a4ca9622f7b4f688b30223c6c3a40396aec109f2c172b74cb92895bcc7397d55174c2b1a922952ad09879bd915a6bfb61a1a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
082d89ccbe425152de88a9d249ba8884

SHA1
718a0f0b15b245a48a42703ba2b57d63ef122651

SHA256
6887e2354f574a0ba428852135925d3653b5df4ec53ea45ac4d362f807b6869e

SHA512
45c07049268560f6492ac8883cb6b6409340909d6bbf3bf0bf75f9c9e27daa999882dc063c8f8c7e81f3bc7399b69da9e3f658e2b88073660858bb419e7e6383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6b889943137ee6663ba54ebf2a4c5206

SHA1
eefbcddd286fd353feb0d4cd30610ef1d2e4e569

SHA256
30205c3a8a2888c3c32b6b849df1ff04558390b80c7840c2680b45596a6dde1f

SHA512
4daa285c7b2eeaee090cf34f1495dd111e391ecd7e416859273558ad03166033c5da054f39f7fe474316b431c437372a362cb39d02b6030b132757816d067dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5ff71b.TMP

Filesize
48B

MD5
23bf91539e432abe6dde117af680b169

SHA1
9a37ea9d26e30e3058349b65b6404078332bb999

SHA256
a2963c134d47727871b1f20dd97ca6b1a2b8d025c1804abeff98b6695ae3430b

SHA512
953b57302711851a5684e1154aaf27132bc2323c61ccf0335d30939726754771a4bd1ba4f9c819f96964e661da291942ca8887c7d6f73b8d15bb89218557676f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5a709452bcb3bc45e3c799e0e30b4e30

SHA1
edfd419e2389577d6cfad012bafba34e693719dc

SHA256
d82734a283da8b4a01938ed2904ba13c06c5fb31292b133cc6fdfb2105185611

SHA512
fe96a95f7210b47f26594d213b80d06c3055ea57d1b8abc9a4b54c2e12e707b6dd3db8b0ba91141fbbced90a83b612837ba7b7c66f22efc32e0657c4071d6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9b6d2a359227436955cc324890280198

SHA1
e2bf7f9172a04cc687783ee99d26c77fb6154236

SHA256
d4eb5012b8cda848a1655f2735a66ca9b38bfd93c786c5e5e7aa47936664041b

SHA512
625b74ff9b5b9f17cbf089e1be5db95349be48f4698c8f3ef180114e17b4fb0a8e5753d3fd6a2e0eac2109080503dccb37cc70e96c125d2db3883ea01304cfde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7619ca15a5a938d39785ce5d24d2c0a0

SHA1
2d1b772f43c40fb4d66c4160b750df5d2daa9b62

SHA256
19a250e8fa91336c4757f957e8d204c0f7d3f8baf41e5c59888e1884a33bebfe

SHA512
c6bd5d0b055176983e14f7faa1d635a403ba427e2fd10abb1dd72d2cdc8ed36e1d013de8647365749cb566b42738a6f43bd5624d6706197de84ca03dfa822399

Download Submit
C:\Users\Admin\Downloads\ExLaµñch€r.zip

Filesize
5.1MB

MD5
f8c4b00b0ee4462714cc36f6b741cd10

SHA1
4edbbcb932489d47d5634c616e9a250f175e463d

SHA256
84f9cc60c8c03b1572891d6064374ea16aa5e2b916affd17c3e55a22d96a3747

SHA512
394a9a54335d885acdb74cc2973d4eae9b778ce6142e819d4398763b356744216dba9240582359b3fd7e67fec81728c76ed59770180252d9655072894d21d40f

Download Submit
C:\Users\Admin\Downloads\ExLaµñch€r\ExLaµñch€r\[email protected]

Filesize
5.1MB

MD5
b51ba1389a0ea1753f47112a4f087e6c

SHA1
45a055b8d3a0d2f6913ae13769e5060565852f3c

SHA256
de446c7f3b8d4a3a6e7993b7e665ceb58b875a40bbbbb0b75e610a9b568c8658

SHA512
6cadc2ae1078f491f96a71544f20d6be80b68086660fef6efb5d41eee6aab1e50e0e7421aa9225a0452df2a1a995bd3f2db58587dad2d7bcd1b1e2fabd01bc88

Download Submit
C:\Users\Admin\Downloads\ExLaµñch€r\ExLaµñch€r\ExL@unch3\ExL4uncher.rar

Filesize
5.1MB

MD5
e0f65d9e55e978b7d1aa6932723f63a2

SHA1
552e52b378f536309c264974c029bcb09fe293ca

SHA256
b89916df09a8b5f955fe6b425fea883aebfaa326a5136314456905e67bb71f48

SHA512
68fc2b7db314bdc3a378c4dfe018862ebb98b088d87c684a6ba335f1e69d8f5a8103b166644fdff15de4d6d67be143066b13245bb08577e638a6b5a46d7f522a

Download Submit
C:\Users\Admin\Downloads\ExLaµñch€r\ExLaµñch€r\ExL@unch3\Pass$word —-— 1231.txt

Filesize
7B

MD5
02a05c6e278d3e19afaca4f3f7cf47d9

SHA1
c967199bd48c4fc4ccbeeb264f7bdbe3fa2d697f

SHA256
67a619457aae3e869af3e7c92078424a773397c1520a9cec76fde54ee8350137

SHA512
fba611d2b164c2e84c4985df4e259c25c7b0be61a8e383d5e650bdeeab712fcc122887c85850a8ae06e9022eba2c5392f676a14e3c9e1b0e1542bf2d76e43de5

Download Submit
\??\pipe\LOCAL\crashpad_2676_MSLTGSILSAQXWILI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit